blob: 97cb81e1974787580400048382db551f32780b28 [file] [log] [blame]
id: GO-2022-0534
modules:
- module: github.com/runatlantis/atlantis
versions:
- fixed: 0.19.7
vulnerable_at: 0.19.6
packages:
- package: github.com/runatlantis/atlantis/server/controllers/events
symbols:
- DefaultGitlabRequestParserValidator.ParseAndValidate
summary: Timing attack in github.com/runatlantis/atlantis
description: |-
Validation of Gitlab requests can leak secrets.
The package github.com/runatlantis/atlantis/server/controllers/events uses a
non-constant time comparison for secrets while validating a Gitlab request. This
allows for a timing attack where an attacker can recover a secret and then forge
the request.
published: 2022-08-11T20:54:51Z
cves:
- CVE-2022-24912
ghsas:
- GHSA-jxqv-jcvh-7gr4
credits:
- cedws
references:
- fix: https://github.com/runatlantis/atlantis/pull/2392
- fix: https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820
- web: https://github.com/runatlantis/atlantis/issues/2391
- web: https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851
review_status: REVIEWED